1. Botnets and Alife
Botnets and Alife
NTS222 Final Project- Botnets
What is a botnet? Why does the subject occupy such a prominent place in the standardized,
processed information that is currently labeled as ‘News’? Does it really present a threat to the
average computer user, or is the phenomenon simply part of the international corporate agenda?
To begin with, I would like to quote SANS (www.sans.org/reading_room/malicious/1299.php):
“Using thousands of zombie machines to launch distributed denial of service attack(s) against
enterprise and government resources is becoming [a] dangerously common trend. Recently, there
is a growing trend towards attackers using Internet Relay Chat (IRC) networks for controlling &
managing infected internet hosts.” I believe that the key word here is ‘resources’.
Wikipedia says the term ‘botnet’ is “generally used to refer to a collection of compromised, or
zombie, computers running programs, usually referred to as worms, Trojan horses, or backdoors,
under a common command and control infrastructure. A botnet’s originator (aka ‘bot herder’)
can control the group remotely, usually through a means such as IRC, and usually for nefarious
purposes. Individual programs manifest as IRC ‘bots’. Often the command and control takes
place via an IRC server or a specific channel on a public IRC network. A bot typically runs
hidden, and complies with the RFC 1459 (http://ietf.org/html/rfc1459) (IRC) standard.
Generally, the perpetrator of the botnet has compromised a series of systems using various tools
(exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan
their environment and propagate themselves using vulnerabilities and weak passwords. Generally
the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a
botnet controller community.”
A botnet may be viewed as a natural outcome of the commoditization of information.
Biologist Thomas Ray, in a 1994 paper (Thomas S. Ray: Evolution, Complexity, Entropy, and
Artificial Reality. Physica D 75:239-263, 1994), described setting up an artificial life (alife)
computer simulation called Tierra in which digital organisms competed for computer resources
(CPU cycles, memory, etc.), setting up an analogue for Darwin’s ‘survival of the fittest’.
From an original ‘ancestor’ organism with a length of eighty instructions, mutants began
to evolve with shorter instruction sets. At a certain point ‘parasites’ with only forty-five
instructions appeared. Hosts developed defenses, parasites found new means of attack.
Like botnets versus the legitimate internet ‘hosts’, the war was on. Later, ‘hyperparasites’
evolved, which could steal the replication of the parasites. Today, we can see the beginning of
this latter process on the Internet, as it becomes evolutionarily ‘cheaper’ for one botnet owner
to steal another’s network than to set up a new one. On the net, the security holes in the newly
stolen botnet are often closed and the zombies given defensive abilities against other would-be
botnet thieves. In the Artificial Life version of this struggle, the original parasites were driven to
extinction, and a cooperative cycle evolved between groups of hyperparasites who relied on their
neighbors for more efficient growth. A new breed of parasite soon evolved which took advantage
of the cooperative cycle for its own ends. The end result was an open-ended evolutionary process.
Ray’s study suggests the direction of the external form of botnets and their organization on the
net. However, as with the supposedly empirical stock market reacting to the laws of supply and
demand, the missing factor is the human one. We also see a parallel phenomenon with
corporations using tax breaks, altruistically allocated by government in order to generate new jobs
and new factories, to take over competitors and slash their employment. It is simply
a more efficient use of resources.
There are currently three common bot variants. www.honeynet.org calls them
(1) Agobot/Phatbot/Forbot/XtremBot, (2) SDBot/Rbot/UrBot/UrXbot, and (3) mIRC-based bots
(GT-Bots). Agobot, the first category, is probably the best known. This is a C++ bot with cross-
platform abilities. It is modularly structured, making it easy to add commands or vulnerability
scanners. Agobot employs sniffers, Alternate Data Streams, and rootkits to hide itself. It can detect
debuggers used by forensic computer specialists and virtual machines such as VMware,
as well as set up an init script on Linux machines.
SDBot is very active currently. It is written in C, sometimes poorly implemented, with
a limited command set and an implementation that is not particularly sophisticated, but it is apparently
very popular with malware writers. As I will detail later in this paper, there is a sizeable
constituency of bot-herders who are relatively unskilled and who simply download and
implement ready-made malware programs from the Internet. I can make a broad generalization
that these so-called ‘script kiddies’ are the largest consumers of SDBot-type programs.
mIRC-based bots constitute most other implementations. They launch an instance of the
mIRC chat client with scripts and binaries. Many link to DLL files which add new features to the
original script, such as using the scanners in the DLL scripts.
After exploitation, bots use Trivial File Transfer Protocol (TFTP), File Transfer Protocol
(FTP), HTTP, and IRC extensions to transfer themselves to the hosts. Binaries connect to a
master IRC server, using a dynamic DNS-generated IP address, so that the bot joins the rest of the
The server accepts the bot as a client, and the bot is relayed commands to spread itself. The
bot controller is able to authenticate himself to the IRC server in order to control the botnet.
Once in control, the hacker can search for sensitive information, launch a Distributed Denial of
Service (DDoS) attack, enable keyloggers, look for account information or passwords, etc.
TCP ports 445, 139 (NetBIOS) and 135 (RPC), together with UDP port 137, are frequent carriers
of botnet traffic. Port 445 (Microsoft DS service) is used for resource sharing (Win 2k, XP, Server 2003).
www.honeypot.net reports these ports account for more than 80% of all observed botnet traffic,
with XP and 2000 being the most prevalent software to be affected. Windows 2000 is much more
popular than XP for this purpose.
Botnets vary in size from a few hundred machines to 50,000 (www.honeynet.org/papers/bots).
The large networks may use 5 IRC servers. Note that the servers themselves have been modified
in order to make tracing them more difficult. Many are not IRC compliant, so that they are
difficult to link to. Some skill in writing the same kinds of scripts the hackers use is often
necessary to ‘rehack’ back into the servers. Routing of botnets is often quite baroque, with
paths going through far-flung countries where extradition and prosecution of botmeisters is
difficult or ill-defined.
There is a certain irony that the IRC infrastructure used by botnets is often public in nature.
IRC channels such as EFnet, Undernet and DALnet provide stable, scalable infrastructure over
which to launch attacks. IRC operates over a default port of 6667. IRC servers listen in a port
range of 6000-7000, although any TCP port can be used if so configured. The term “bot”
derives linguistically from “robot”, and reflects the “automaton” nature of the enterprise.
It should be noted that “bots” have legitimate counterparts in the computer game and search
engine fields, the former being an agent in the game imbued with a certain amount of artificial
intelligence to perform actions in a quasi-independent fashion (such as an enemy soldier that
takes evasive action when fired upon), and the latter in the search-engine “spiders” that go from
website to website updating information for the central data fileservers of the search engines.
Of course, the malware agents utilize spiders and artificial intelligence for their own nefarious
purposes as well. The favored targets of botnets are servers with high bandwidth machines
connected to the Internet by broadband. The resulting “pipe” is ideal for large DDoS attacks
on networks. It would be futile for the botmeister to order a massive attack, only to find out that
half his botnet is shut down because the server he wished to channel the attack on is not in service
mode. Consequently, servers that are reliable and connected on a 24 hour basis are very desirable.
One highly unexplored defense against botnet attacks would be to build unreliability (or at least
random reliability) into the Internet as a whole. Any avid reader of John le Carré’s spy novels
will know that randomness of behavior is a rudimentary but effective technique in maintaining
spy networks, but in the real world a corporation or institution lives or dies by its reputation for
consistent Quality of Service. Still, as the counterintelligence capabilities of the “White Hat”
server defenders grow, as they inevitably will as part of the continuing battle between hackers and
institutions, some variation of this tactic might prove effective for a time. Knowing that an attack
is planned, certain pipes could be made to become temporarily unstable, disrupting coordinated
attack efforts. At the very least, this would send the message that the operations of a botnet are
known and are being monitored effectively (if indeed it becomes desirable to relay such
knowledge to the attacker). Perhaps this tactic might be more useful in the hands of a ruthless
botnet rival, or a rival who has been “turned” by the forces of good. As the American computer
scientist Alan Kay put it, “The best way to predict the future is to invent it.”
Finally, botnet operators prefer vectors that are geographically far away from their true position,
run by people who are somewhat ignorant of network operations and management. Both of these
factors result in a lower likelihood of detection for the attacker.
It is within the purview of IRC administrators to ban botnet operators from using their public
channels. This action would swiftly end the game for IRC botnets, and therefore the operators are
skilled at avoiding detection. Service providers like noip.com are used to dynamically map bots
with multiple IRC servers, obfuscating the ‘signature’ of the botnet. Complex passwords
are used to prevent other potential users from logging onto the network, and often the ‘handle’
of the operator consists of only one or two letters. Survivability is a key element in the overall
psychology of botmeisters. Like a terrorist ‘cell’, the discovery of individual bots or infected
servers must not be linked back to the main organizational structure of the botnet, or, like
Ariadne’s thread, it will lead to the center of the Labyrinth, where the Minotaur will find itself
destroyed. In this way, even if a server or host is banned from the IRC channel, the botnet will
We may fairly ask, what kind of data is worth this kind of effort to maintain a botnet?
Certain intellectual property, such as movies, mp3s, software, and warez, finds a ready market in
parts of the world where this output sells at vastly lower prices than official channels charge.
There is a huge commodity market for credit card numbers, proprietary data stolen from
corporate laptops, medical data and the like. Botnets themselves have become a commodity.
They are now bought and sold like bundles of home mortgages in the bond market, or rented to
clients for a specific series of exploits. Certain businesses such as online casinos are regularly
subject to extortion. Their business model relies on an ‘always on’ posture. Any disruption of
service results in a breach of trust from gamblers, so they are particularly vulnerable to threats of
DDoS. The mountains of personal information available from personal computers, email,
corporate networks and other sources mean that botnets are a phisher’s paradise. The level of
detail involved means that emails can be individually crafted to appeal to specific victims. This
results in more valuable personal data, such as social security numbers, but can also be used to
leverage future attacks on networks. The botnet may thus be ‘multitasked’, providing additional
revenue in exchange for the use of the compromised network. One of the biggest and most
profitable uses for botnets is in delivering spam.
Bruce Schneier, the ubiquitous computer security maven, reported in his blog “Schneier on
Schneier”, Feb 2, 2006: “Ancheta and SoBe [botnet operators] signed up as affiliates in programs
maintained by online advertising companies that pay people each time they get a computer user to
install software that displays ads and collects information about the sites a user visits.”
This adds quasi-legitimate business to the list of uses for botnets. It may be noted that
recently Google acquired the internet user tracking ad agency DoubleClick, raising the specter
that this particular ‘nefarious’ activity may soon become all too legitimate. A very recent (April
25, 2007) article in Slashdot details a recent trend which is germane to Google’s business model:
“Attackers apparently bought the rights to several high profile search terms, including searches
that would return results for the Better Business Bureau, among others. The story notes that this
was bound to happen, given the way that Google structures sponsored links: ‘The bad guys
behind the attack appeared to capitalize on an odd feature of Google’s sponsored links. Normally,
when a viewer hovers over a hyperlink, the name of the site that the computer is about to access
appears in the bottom left hand corner of the browser window. But hovering over Google’s
sponsored links shows nothing in that area. That blank space potentially gives bad guys another
way to hide where visitors can be taken first.’” (www.slashdot.org/index.pl?issue=20070425)
Beyond the problems that currently exist with botnets, the greater nightmare may be that botnet
operators acquire legitimate channels, such as Google/DoubleClick, that are trusted sources for
millions of users. The profit potential of such a development would constitute a seismic shift in
the dynamics of the web and the botnet industry, particularly in countries where the legal and
regulatory environment is subject to bribes, lobbying, and other forms of persuasion. We may yet
see the day when botnets are a ‘feature’ of the Internet.
Recall my original thesis that botnets are essentially evolving digital organisms. They obtain
their fuel from gathering data. Yet they are in the end simply byproducts of the people who run
them, artifacts of the war between legitimate consumers, businesses and institutions and the
hackers and crackers whose interests are intimately tied to their financial and professional goals.
Who are these people? What are their motivations? Can we posit a ‘profile’ to help us
to defeat them, or at least put up an effective defense? In an interview with Washington Post
computer security blogger Brian Krebs, botnet herder ‘Witlog’ claimed he did it for ‘fun’.
Witlog’s specialty was installing adware-serving software. Krebs claimed he was making far in
excess of $6000 to $10,000 per month. He built a botnet of up to 45,000 PCs before botnet hunters
from the volunteer group Shadowserver caused his ISP to drop him. Witlog registered a new
bot control channel (Witlog.net this time instead of Witlog.com), and began rebuilding the botnet.
He is the modern version of a ‘script kiddy’, a semiskilled hacker who downloads scripts
from the Internet and plays with them. It is quite possible that the money he makes is ‘silly
money’, and that the motivation is the same as it always has been for this type of hacker:
notoriety and the desire for respect from his peer group. It is not for nothing that exploits are
commonly said to be ‘in the wild’. (http://blog.washingtonpost.com/securityfix/2006/03/post.html)
If you’re a woodmouse (or a PC owner), it matters little whether you are eaten by a weasel
like Witlog or a puma. Who are the pumas? It is at this juncture that the DNA of attackers
changes. In his blog “The Red Tape Chronicles”, Bob Sullivan writes about international gangs of
hackers: “The bot network industry has become so profitable, and hijacked computers so valuable,
that rival gangs are now fighting over them.” The object of the fight is not physical, but to either
take over someone else’s network or knock it off line. Sullivan writes: “When the Storm worm
was released in January, it had a dual function. In addition to its spam functions, Storm-infected
computers were instructed to attack web sites run by the rival Russian Warezov gang… The
sites had been set up as communications hubs for Warezov-hijacked computers. Without them,
the zombie computers did not know where to attack.”
The point is that botnets are now a business. In business, it’s important to advertise yourself
as the leader. Sullivan quotes Jose Nazario, a security researcher at Arbor Networks:
“A single denial-of-service attack on a gambling website can cost $50,000 a day.”
Sullivan puts the number of infected computers at perhaps 100 million, although it is hard
to see how anyone could come up with a truly accurate estimate. He claims the top gangs are in
Russia, Brazil, and Eastern Europe. Sullivan quotes David Marcus, security research and
communications manager at McAfee: “Bot herders are typically young, perhaps 18-25, often
only a little bit older than a teenage hacker. They are nearly always men. And they tend to live
in an area where traditional, big money computing jobs are hard to find. [The gangs] watch for
bright kids and they start them on small tasks, like, ‘Find me 100 passwords and I’ll give you
1000 rubles.’” Marcus said that more aggressive recruitment sometimes involves actually sending
recruits to college.
We have, I think, sufficiently demonstrated the nature and scope of the botnet problem.
The next logical step is to ask what to do about it. As long as the owners of PCs which are
subject to recruitment into botnets are not motivated to take proactive measures, the existence
of botnets will be a given. PC owners are affected by spam, of course, as is everyone else on
the Internet, but the very ubiquitousness of the phenomenon manifests in a certain resigned
attitude. Beyond that, the average user might notice a certain amount of slowdown, and personal
data will be compromised, but we can expect no concerted effort by consumers towards
preventing their machines from being affected. A great deal of good could come from fostering
awareness of the problem, but efforts to raise consciousness about the operation of computers run
exactly counter to the intentions of large corporate interests such as Microsoft, who advertise
convenience and operating systems that ‘just work’. The popularity of computer science in
the United States has declined markedly since corporations decided that their knowledge assets
should have a basis in cheaper countries such as India and China. Computer Science is hard
work, and more lucrative employment futures are seen to be elsewhere by candidates for higher
That leaves the ISPs and network administrators, plus the government and vendors of
security products. The ISPs can ban a domain name from their services, but as we have seen in the
case of ‘Witlog’, such strictures are easily circumvented. IRC channel administrators are also
subject to circumvention. The government (in this country) has chosen to increase penalties after
the perpetrators have been caught, if they can be caught. Security product vendors stand to make
a great deal of money if they can come up with effective anti-bot products. As an example,
McAfee launched a ‘bot-killing system’ in 2006. Techworld reported, “Unlike conventional DDoS
systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet
Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic
dependent on whether or not it is ‘complete’.” The system depends on the concept of SYN
cookies, not a new idea. SYN cookies amount to particular choices in initial TCP sequence
numbers by servers. This defends against SYN flood attacks by avoiding dropping connections as
the SYN queue fills up: the server acts as if the queue had been enlarged.
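To make the SYN cookie idea concrete, here is an added Python model of the mechanism. It is not McAfee’s product and not code from this paper: it shows how a server can fold the handshake state into its initial sequence number and then validate the client’s returning ACK without ever having queued a half-open connection. The 5-bit counter / 3-bit MSS index / 24-bit keyed-hash layout, the MSS table, the time window and the secret key are assumptions modelled on the usual scheme, and the addresses are constructed.

```python
import hashlib
import hmac

# Constructed server secret for this example; a real TCP stack uses a random
# key and rotates it periodically.
SECRET = b"example-secret-not-for-production"

# Small MSS table encoded in three bits of the cookie (assumed values).
MSS_TABLE = [536, 1300, 1440, 1460]


def _mac24(saddr, daddr, sport, dport, t, client_isn, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, the time counter,
    the client's own ISN and the MSS index, so it cannot be reused elsewhere."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}|{client_isn}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, t):
    """Server ISN for a SYN from saddr:sport to daddr:dport at time counter t.

    Layout of the 32-bit ISN: 5-bit time counter | 3-bit MSS index | 24-bit MAC.
    Nothing is stored server-side; everything needed to verify is in the ISN.
    """
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(saddr, daddr, sport, dport, t, client_isn, mss_idx)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | mac


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, ack, now, window=4):
    """Validate the final ACK of the handshake without any queued SYN state.

    ack is the client's acknowledgement number, so the cookie is ack - 1.
    Returns the negotiated MSS on success, or None if the cookie is forged,
    stale (older than `window` counter ticks) or belongs to another flow.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    # Only the low five bits of the counter travel in the cookie, so try the
    # last `window` ticks and accept the one whose low bits match.
    for age in range(window):
        t = now - age
        if (t & 0x1F) != t_low:
            continue
        expected = _mac24(saddr, daddr, sport, dport, t, client_isn, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def demo():
    """Walk one handshake: SYN -> cookie ISN -> ACK -> stateless validation."""
    flow = ("198.51.100.7", "203.0.113.10", 40000, 80)  # constructed addresses
    client_isn = 123456789
    t = 1000                                            # server time counter
    isn = make_syn_cookie(*flow, client_isn, 1460, t)
    ack = (isn + 1) & 0xFFFFFFFF                        # what a real client sends
    return check_syn_cookie(*flow, client_isn, ack, now=t + 1)
```

The point of the model is what happens on failure: `check_syn_cookie` returns None for a stale, tampered or replayed cookie, and there is nothing to drop because nothing was ever stored, which is why a flood of SYNs that are never completed costs the server no queue space.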
What can the administrator do? Most of the existing approaches are defensive in nature. A bot
needs a vulnerability or misconfiguration to exploit. In theory, if there were no vulnerabilities, the
entire attack would fail. But much can be done in ensuring that the network is properly
patched and configured, and IDSs have signatures to protect against common exploits. The
problem is that signatures need to be updated at a dizzying pace to keep up.
Another approach is to interrupt communications between botnets and their herders.
This can be accomplished by blocking the bots from communicating on the IRC channel.
A firewall in some cases can block these communications by filtering outgoing traffic, although
such protocols as HTTP may be impossible to block without destroying the functionality of the
network itself. Covert channels and encrypted data streams may also be hard to detect and stop,
although protocol anomalies make it technically possible in some instances. Other solutions
such as honeypots are also feasible, but if not properly configured, can actually be used by an
attacker to break into the system.
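As an added illustration of the monitoring and filtering this section and the earlier port discussion describe, the following Python script is not from the paper or from any product it mentions. It parses a small constructed firewall log, flags internal hosts talking outbound to the IRC port range (6667 by default, servers in 6000-7000), flags hosts that touch several neighbours on TCP 445/139/135 and UDP 137 (the spreading ports named above), and turns the IRC findings into candidate iptables egress rules for an administrator to review. The log format, the `10.` internal prefix and the scan threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Ports the essay names as frequent botnet carriers: TCP 445/139/135 and UDP 137
# for spreading between Windows hosts, and IRC for command and control
# (default 6667, servers commonly listening somewhere in 6000-7000).
LATERAL_PORTS = {("tcp", 445), ("tcp", 139), ("tcp", 135), ("udp", 137)}
IRC_PORTS = range(6000, 7001)

# Constructed firewall log in a made-up one-line-per-flow format:
#   <time> <action> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
12:00:01 ALLOW tcp 10.0.0.5:51000 -> 203.0.113.9:6667
12:00:02 ALLOW tcp 10.0.0.5:51001 -> 10.0.0.7:445
12:00:03 ALLOW tcp 10.0.0.5:51002 -> 10.0.0.8:445
12:00:04 ALLOW tcp 10.0.0.5:51003 -> 10.0.0.9:445
12:00:05 ALLOW tcp 10.0.0.12:51004 -> 198.51.100.4:443
12:00:06 ALLOW udp 10.0.0.5:137 -> 10.0.0.10:137
12:00:07 ALLOW tcp 10.0.0.12:51005 -> 203.0.113.9:6000
12:00:08 DENY  tcp 10.0.0.5:51006 -> 203.0.113.9:6667
12:01:01 ALLOW tcp 10.0.0.5:51007 -> 203.0.113.9:6667
this line is not a flow record
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one flow record, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text, internal_prefix="10.", scan_threshold=3):
    """Two heuristics over allowed flows only.

    irc_egress: internal hosts talking outbound to IRC ports (possible C2),
    counted per (src, dst, dport) so repeated beaconing stands out;
    lateral_scanners: internal hosts touching >= scan_threshold distinct
    internal peers on the file-sharing/RPC ports that bots use to spread.
    The internal prefix is an assumption matching the constructed addresses.
    """
    irc_egress = Counter()
    lateral_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        src_in = rec["src"].startswith(internal_prefix)
        dst_in = rec["dst"].startswith(internal_prefix)
        if src_in and not dst_in and rec["proto"] == "tcp" and rec["dport"] in IRC_PORTS:
            irc_egress[(rec["src"], rec["dst"], rec["dport"])] += 1
        if src_in and dst_in and (rec["proto"], rec["dport"]) in LATERAL_PORTS:
            lateral_targets[rec["src"]].add(rec["dst"])
    scanners = {h: len(p) for h, p in lateral_targets.items() if len(p) >= scan_threshold}
    return {"irc_egress": dict(irc_egress), "lateral_scanners": scanners}


def egress_block_rules(findings):
    """Turn IRC egress findings into narrow iptables FORWARD rules for review:
    only the flagged internal host to the flagged server and port, not all of IRC."""
    return [
        f"iptables -A FORWARD -p tcp -s {src} -d {dst} --dport {dport} -j DROP"
        for (src, dst, dport) in sorted(findings["irc_egress"])
    ]
```

The rules are deliberately narrow because, as the text notes, a blanket block on a protocol can break legitimate use; the scan threshold is the knob that separates a file server legitimately talking to many peers from a host sweeping its subnet.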
The problem of bots is technically not solvable at this time. If my thesis about the
resemblance of botnet evolution to artificial life evolution is correct, the real problem may not
even have arisen yet. In biological life, a plague continues until it becomes inefficient to infect
hosts, because there are not enough left to infect, and the ones who are left have developed natural
immunities. It is doubtful that the entire Internet will face extinction because of botnets
or their successors, because without the Internet the vector that produces profit for the botnet
owners will disappear. At a certain point, therefore, a balance will be struck, with a usable
Internet laced with botnets. The question is, how much power will the botnet owners have?